Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Realtors Be Aware: You Are a Target - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Realtors Be Aware: You Are a Target

Real estate transactions are some of the higher value transactions performed by individuals and organizations. They often exceed hundreds of thousands of dollars in value, and for commercial properties, millions of dollars are quite normal. Many buyers and sellers are not familiar with what is normal when it comes to real estate transactions. Over the last few years, we have seen this exploited in a specific form of "Business E-Mail Compromise," where an attacker is injecting e-mails into conversations to trick the victim to transfer money to the wrong account.

A weak link in this transaction is often the realtor. Realtor's e-mail addresses are easy to find. Many realtors work more or less on their own and do not benefit from a corporate IT department with security monitoring. Instead, they use public webmail systems and heavily rely on cloud-based file sharing systems and e-mail attachments to exchange documents.

Recently, a realtor aware of this issue forwarded me the following exchange. Initially, the realtor received an e-mail that is very typical for the type of e-mail realtors receive from new clients:

Hi   My name is James  . I got your contact while searching for good realtor in Florida. My Partner and I are planning to relocate to the area by year end and would be interested in buying a house.  Are you full time realtor?.   Are we also suppose to contact bank as we are very new to this.

The realtor sent more or less a standard reply:

Hi, James: I will be very happy to help you with finding a home here. The first step is to get a mortgage pre approval letter. If you do not have any mortgage agent, I can recommend some. Give me a call when you have time.

Note that the realtor is asking for a mortgage pre-approval letter. This is a common "first step" to find out how much money the buyer can spend on a new house. Of course, James responded the next day:

Thanks  for getting  back to me on my request to purchase a house and sorry for the late response . I have been busy with some project . I actually got your contact while looking for good realtors online . Presently i live in Palos Hills Chicago, but i wish to have a property in your state for Income Revenue.Am interested in purchasing a 3 to 4 bed room house with a large parking garage ( a house with a pool within our price range will be perfect ).  I was told  i needed pre approval so  i obtained it  from my bank. I have shared it with you as well as details on desired location and  what I'm looking for via google docs . Check it and let me know so i can call you when i finish from meeting to decide when to come and view the property. 
Kind  Regards James        
Approval letter.pdf

Again, the e-mail is in-line with what you would expect from a buyer. Note the link to the "Approval Letter." This is where things get more interesting.

The link went to http:// myrealestategoogldrive .atspace.cc/ . A fairly "plausible" URL for a link like this. There are dozens of different file sharing sites out there, and this hostname is certainly in line with what a realtor would consider normal.

The site has been taken down now, but it offered a login screen asking for the realtor's webmail credentials. This is where the realtor contacting me got suspicious, so we do not know what "James" would have done with the credentials. But typically, the next steps involve:

  • "James" will use the realtor's e-mail credentials to log into the webmail system
  • Then, "James" will add a "Forward" address. This way, James will receive copies of all e-mails send to the realtor
  • Once an e-mail comes across the realtor's inbox asking for bank details to wire money, "James" will reply with his information

The result, if successful, is that the buyer transfers money to the wrong account. Sadly, these wire transfers ("ACH Transfers") are often not reversible. The money will typically go first to a domestic account that "James" is monitoring, and as soon as the money arrives, it will be forwarded to a foreign account at which point the trail of the money often gets lost.

Yes, the e-mails from "James" contain typos and bad grammar. But realtors will typically happily do business with you even if you are not an expert in the use of the English language.

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

Johannes

3089 Posts
ISC Handler
I work part-time as a real estate agent and full-time as a vulnerability assessor. At one point I was receiving 2-3 of these targeted emails every week. Fortunately I'm fairly quick to recognize things like this and just delete it, but if it's of interest to anyone I may have a few emails with pdf's attached in one of my email boxes.
Anonymous

Posts
Great points. There are many sectors like realtors that are quite vulnerable, yet they are not aware. Blogs like this help get the word out.
Not to be a pessimist, but I doubt many realtors read this blog. The enemy is after professions like realtors, lawyers, accountants, etc., yet they don't realize the risks they take everyday with other people's sensitive information. Ignorance and complacency are enemies of security.

My question is this: How do we get this message out to these groups? How do we help them understand the threats are real? Perhaps we can get security professionals to present at their trade shows and conferences. Also, security professionals need to take every chance they get to educate the masses.

Security professionals, please use the great info provided by SANS to get the word out. Little steps go a long way. Otherwise, it's just preaching to the choir.
Anonymous

Posts

Sign Up for Free or Log In to start participating in the conversation!